Auto remediation in cloud computing is one of several available options when configuring a cloud management platform with policy-driven automation capabilities. When used with the other available options, auto remediation can enhance your business’s cloud governance.
Although some cloud users may not be familiar with the term “assistive remediation”, most are familiar with the concept. In assistive remediation, a cloud monitoring solution alerts you to an event which violates a cloud management policy and usually provides an explanation of how the policy is violated and/or a suggestion for remedying the violation.
Auto remediation takes this process one stage further by automatically remedying the event that caused the policy violation. In order to do this, the solution has to be configured in advance with what actions to take and under what circumstances. Naturally, the actions and circumstances will vary according to each business’s cloud governance policies, but examples include:
- If a block storage volume is unattached for one week, trigger a snapshot and delete the volume.
- If a resource tag is misspelled, correct the misspelling to comply with the tagging policy.
- If a root account has multi factor authentication disabled, initiate a function to enable it.
- If a storage volume tagged PII is unencrypted, encrypt the storage volume.
- If an instance has unauthorized open ports, terminate the instance.
- If a resource is launched in a non-conforming region, terminate the resource.
In some cases, as well as the policy violation being automatically remedied, system administrators will have to be informed in order to prevent the policy violation reoccurring. In other cases, it may be more appropriate to initiate an approval workflow rather than (say) terminating a resource launched in a non-compliant region. There may be a good reason for a resource being launched in a non-compliant region.
Is auto remediation always the best way to enforce cloud governance policies?
Auto remediation is a good way to enforce cloud governance policies, but it’s not the only way—and it’s certainly not the best way in some circumstances. For example, if a business has a policy stating a department cannot spend more than 100 percent of its cloud budget, you wouldn’t want the auto remediation capability to stop the department’s resources once the budget limit is reached.
Similarly, if an instance has unauthorized open ports, it is better to prevent it being launched at all rather than identify and remedy the policy violation retrospectively. This is because, by the time the policy violation is identified and acted upon, it may be too late to prevent a data breach or other security issue. For this reason, auto remediation should be used in conjunction with other options.
What are the other options for automated cloud governance?
Cloud management platforms with policy-driven governance capabilities vary in their capabilities. As cloud management platforms evolve, it’s fair to assume new capabilities will be launched to help businesses meet evolving challenges. Nonetheless, at a minimum, a cloud management platform should give businesses at least these five options:
Alert. The need for alerting administrators to budget overspend rather than stopping a department’s resources is obvious. In circumstances such as these, it is more appropriate to set up an alert for when a budget is projected to exceed its limit so budget owners have time to address what is causing the overspend—or get the budget limit increased.
Initiate Approval Workflow. Cloud governance is also an evolving factor in cloud computing, and businesses wishing to take full advantage of opportunities in the cloud will have to update their cloud governance policies from time to time. For this reason there should be a process in place for users to request permission for activities that existing cloud governance policies don’t currently allow.
Auto Remediation. Auto remediation can be an appropriate way to control costs, improve performance, and prevent security issues, but it is important to remember it is a retrospective measure rather than a proactive measure. Rather than adopt auto remediation too enthusiastically, businesses are advised to consider measures that prevent policy violations.
Preventative Actions. In the same way as a cloud management platform with policy-driven automation capabilities can be configured to remedy policy violations, it can also be configured to prevent them occurring. Examples of preventative actions include blocking the launch of instances with unauthorized open ports or revoking user access if users log into an account from an unrecognized IP address.
Avoid. One of the primary causes of uncontrolled costs, performance inefficiencies, and security issues in the cloud is application misconfigurations. If misconfigurations can be avoided during the development stage (i.e. by using solutions such as VMware Secure State), there should be fewer policy violations requiring alerts, approval workflows, auto remediation, and preventative actions.
Additionally, creating a Cloud Center of Excellence (CCoE) can allow your company to utilize all the benefits of cloud computing and enable auto remediation. A CCoE is a cross-functional working group of people that govern the usage of the cloud across an organization and drive best practices across functions. The CCoE spans three areas of excellence: cloud financial management, cloud operations, and cloud security compliance. By creating a CCoE, your company can achieve visibility, optimization, governance and automation, and business integration into your cloud environment. Learn more about growing and best practices in a multicloud environment here.
